Anterovium - Fotolia
According to McAfee's recent report, "Building Trust in a Cloudy Sky," hybrid cloud adoption increased threefold in 2016, reaching 57% of enterprises surveyed in the report. RightScale's sixth annual State of Cloud Report revealed 85% of enterprises have a multicloud strategy, up from 82% in 2016. A reoccurring theme of these surveys and others is the downside of hybrid cloud adoption -- the associated costs and challenges of implementing and maintaining security controls required by regulatory authorities.
The very advantages hybrid cloud offers of sharing compute power, services and resources of a service across a public and private cloud also result in the need to verify ongoing regulatory and contractual compliance. Once two cloud environments have established trust needed to store, process and transmit regulated information between themselves, a common landscape of compliance must be met and maintained.
Implementation and maintenance of the security controls is challenging, as enough of the security standards and certifications are based on interpretation of general industry terms. Therefore, tools and services comprising on-premises and off-premises security portfolios will differ; like-for-like security control systems may not exist between private and public cloud environments. The cause for debate is typically related to each party's view of particular vendors offering effectiveness. For example, perhaps on-premises advanced persistent threat technology along with intrusion detection and intrusion prevention systems is required, whereas the cloud service provider considers IDS and IPS sufficient.
Beyond different technologies, audits and certifications may differ, which can result in seeming control gaps. What if the cloud provider has ISO 27001:2013 and 27017:2015 certifications, yet your organization must meet a more stringent federal, state or contractual compliance? When an organization deploys hybrid systems, this is where control inheritance may be leveraged.
Understanding control inheritance
The National Institute of Standards and Technology (NIST) provides several special publications for control inheritance guidance: NIST 800-37 rev 1, the Guide for Applying the Risk Management Framework to Federal Information Systems, and NIST 800:53 rev 4, the Security and Privacy Controls for Federal Information.
Both documents identify three control categories: common, hybrid and system-specific. We are interested in common and hybrid, as they are offerings capable of providing controls for multiple information systems across multiple security zones or service layers. This characteristic of coverage makes the control inheritable. For example, if a security regulation or standard requires a control providing authentication and authorization for all services in a tool or platform, it is more cost-effective to authenticate users against an enterprise directory, such as LDAP or Microsoft Windows Active Directory, rather than local platform or vendor proprietary directories.
Control inheritance applies to administrative -- meaning documentation, such as policies or user-awareness training -- and physical controls.
Specific to NIST 800-53, contextualization of information systems is defined as physical, logical and virtual. This is helpful to organizations with highly virtualized infrastructures; they may leverage virtual mechanisms as controls, thereby reducing the sprawl of physical equipment, such as virtual routers and firewalls. Both can be deployed in a multileg design providing isolation at the physical layer and then building in more isolation logically and virtually allowing a single physical offering to scale across multiple information systems and services.
Specific to NIST 800-37, information systems and boundaries are defined, along with explaining reciprocity. An information system is a discrete set of information resources organized for the collection, processing, maintenance, use, dissemination or disposition of information. Simply put, it is a system comprised of administrative, technical and physical subsystem components.
Information system boundaries are the set of information components enforcing authorization across an information system. An enterprise user directory is an example of an information system boundary, as it provides authentication and authorization of users to applications, platforms and services.
Reciprocity is the administrative mechanism enabling two or more organizations mutual acceptance of security assessments. This allows scaling of information system resources through reuse, along with acceptance of assessed security posture supporting information sharing. This is how an organization that is ISO 27001:2015-certified can accept a Federal Information Security Management Act high assessment from a cloud provider without that cloud provider becoming ISO 27001:2015-certified.
Designing hybrid cloud controls
Information access and flow are the last pieces of the puzzle that support control inheritance. Why? Access is the start of information system authentication and authorization. From there, a user's access flows through an information system. As mentioned previously, cloud migration reduces the costs of traditionally expensive systems, such as databases. It is fairly standard to deploy a service that has its portal hosted on premises, with back-end services hosted by a cloud provider. This is where control inheritance is leveraged.
- Identify where users will access the system; when users access via on-premises systems, inheritance will flow from your organization. If it's done off premises, then inheritance flows from the cloud provider.
- Determine the information flow for the entire information system and information system boundaries and components. You can identify components by service, such as application tier or database.
- Identify all on-premises information system boundaries providing authorization, such as firewalls, routers, user directories or identity and access management systems and communication channels.
- Categorize the boundaries; align your controls by category across your boundaries.
- Provide notation in a formal document -- such as a system security plan -- as to which controls are common, inheritable and system-specific. Each cloud provider must maintain notation regarding the state of their controls.
The above control design model supports sharing of controls across two or more organizations without deploying additional technology or personnel. Cloud identity and access management systems are important for any enterprises, especially when adopting more complex hybrid environments. Enterprises should explore access control inheritance and use it to their advantage to make a potentially complicated process much easier and more secure.
Learn more about cloud access security brokers and their uses
Find out how and when to install cloud-based remote access
Discover how to move applications to a hybrid cloud architecture